Re: guix.gnu.org sub-domain
On 9 April 2019 03:48:02 GMT+02:00, Chris Marusich wrote:
>Hi Julien,
>
>Thank you for working on this!
>
>Julien Lepiller writes:
>
>> I'm still unsure about how to update the certificates with the dns
>> challenge. I found a script that could help us with updating the zone
>> served by knot when it's configured as a master.
>>
>> We could use that to update the required txt record, but we also need
>> to make sure the change is propagated to the other server, because we
>> don't know which server will be asked to answer the challenge.
>>
>> With a further delegation of the record for the dns challenge we can
>> have two masters, but I'm still stuck at finding a way to communicate
>> the challenge between the two servers.
>>
>> Ideas?
>
>Can we update the DNS dynamically [1]? Can you share the script?
>
>I still don't know as much about Knot as I should, but I'm surprised
>that a change to the primary server's database would not be propagated
>to the secondary server's database automatically. Can you elaborate on
>what goes wrong, or maybe explain (even at a high level) how I can try
>reproducing the problem with cert renewal locally?
>
>Footnotes:
>[1] https://tools.ietf.org/html/rfc2136

What I found consists in using knotc to update the zone served by knot
with knotc, but it only updates it locally (and to slaves). So we have no
issue with that method when we want to automate certs from the primary,
but I don't know how to propagate the change back to the master when we
ask for certs on the secondary.

I'll have a look at the rfc.
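
An added illustration of the problem discussed in the message above (not part of the thread, and not the script Julien refers to): it derives the dns-01 TXT value per RFC 8555, builds an nsupdate-style RFC 2136 batch aimed at the primary, and reports which authoritative servers do not serve the record yet. The host names `ns1.example.` and `ns2.example.`, the token and thumbprint, the treatment of `guix.gnu.org` as the zone, and the simulated query function are all assumptions.

```python
import base64
import hashlib

def dns01_txt_value(token, thumbprint):
    """TXT value for an ACME dns-01 challenge (RFC 8555, section 8.4)."""
    key_authorization = f"{token}.{thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def update_batch(primary, zone, domain, value, ttl=60):
    """nsupdate-style batch replacing the challenge record on the primary.
    Meant to be sent TSIG-authenticated (nsupdate -k), never unauthenticated."""
    name = f"_acme-challenge.{domain}."
    return "\n".join([
        f"server {primary}",
        f"zone {zone}.",
        f"update delete {name} TXT",
        f'update add {name} {ttl} TXT "{value}"',
        "send",
    ])

def lagging_servers(servers, domain, value, query_txt):
    """Authoritative servers that do not serve the challenge value yet."""
    name = f"_acme-challenge.{domain}."
    return [s for s in servers if value not in query_txt(s, name)]

# Constructed sample data: placeholders, not real tokens or hosts.
TOKEN = "constructed-token"
THUMBPRINT = "constructed-account-key-thumbprint"
SERVERS = ["ns1.example.", "ns2.example."]

def demo():
    value = dns01_txt_value(TOKEN, THUMBPRINT)
    name = "_acme-challenge.guix.gnu.org."
    # Simulated state: primary updated, secondary has not transferred yet.
    served = {"ns1.example.": {name: [value]}, "ns2.example.": {}}
    query = lambda server, qname: served[server].get(qname, [])
    before = lagging_servers(SERVERS, "guix.gnu.org", value, query)
    served["ns2.example."][name] = [value]  # zone transfer completed
    after = lagging_servers(SERVERS, "guix.gnu.org", value, query)
    return before, after

if __name__ == "__main__":
    print(update_batch("ns1.example.", "guix.gnu.org", "guix.gnu.org",
                       dns01_txt_value(TOKEN, THUMBPRINT)))
    print(demo())
```

The ACME client should only be told to validate once `lagging_servers` returns an empty list, since the validator may query either server.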
Re: guix.gnu.org sub-domain
Hi Julien,

Thank you for working on this!

Julien Lepiller writes:

> I'm still unsure about how to update the certificates with the dns
> challenge. I found a script that could help us with updating the zone
> served by knot when it's configured as a master.
>
> We could use that to update the required txt record, but we also need
> to make sure the change is propagated to the other server, because we
> don't know which server will be asked to answer the challenge.
>
> With a further delegation of the record for the dns challenge we can
> have two masters, but I'm still stuck at finding a way to communicate
> the challenge between the two servers.
>
> Ideas?

Can we update the DNS dynamically [1]? Can you share the script?

I still don't know as much about Knot as I should, but I'm surprised
that a change to the primary server's database would not be propagated
to the secondary server's database automatically. Can you elaborate on
what goes wrong, or maybe explain (even at a high level) how I can try
reproducing the problem with cert renewal locally?

Footnotes:
[1] https://tools.ietf.org/html/rfc2136

--
Chris
Re: guix.gnu.org sub-domain
On 8 April 2019 10:59:36 GMT+02:00, "Ludovic Courtès" wrote:
>Hello Julien,
>
>Ricardo Wurmus writes:
>
>> I just went through the list of things that we wanted to accomplish
>> before releasing 1.0. One of them is the use of a guix.gnu.org
>> sub-domain.
>>
>> Could you please let us know what the current status is regarding the
>> Knot DNS server configuration?
>
>A friendly ping. :-)
>
>Thanks,
>Ludo’.

I'm still unsure about how to update the certificates with the dns
challenge. I found a script that could help us with updating the zone
served by knot when it's configured as a master.

We could use that to update the required txt record, but we also need
to make sure the change is propagated to the other server, because we
don't know which server will be asked to answer the challenge.

With a further delegation of the record for the dns challenge we can
have two masters, but I'm still stuck at finding a way to communicate
the challenge between the two servers.

Ideas?
Re: guix.gnu.org sub-domain
Hello Julien,

Ricardo Wurmus writes:

> I just went through the list of things that we wanted to accomplish
> before releasing 1.0. One of them is the use of a guix.gnu.org
> sub-domain.
>
> Could you please let us know what the current status is regarding the
> Knot DNS server configuration?

A friendly ping. :-)

Thanks,
Ludo’.
guix.gnu.org sub-domain
Hi Julien,

I just went through the list of things that we wanted to accomplish
before releasing 1.0. One of them is the use of a guix.gnu.org
sub-domain.

Could you please let us know what the current status is regarding the
Knot DNS server configuration?

Cheers,

--
Ricardo
Re: guix.gnu.org sub-domain
On 2018-12-15 3:20 PM, Chris Marusich wrote:
> Hi Ludo,
>
> Ludovic Courtès writes:
>
>> I’m sure Julien wouldn’t mind getting some help or insight, so please do
>> get in touch!
>
> OK, I'll speak privately with Julien about the DNS setup to avoid adding
> noise to this email thread.
>
> --
> Chris
>

Hi Chris, Julien,

Any update on this?

I too had asked Ludo about DNS for guix.gnu.org a couple of weeks ago,
and he’d pointed me to the bayfront.scm [1] config file, but I was
swamped with work and only recently have found a bit of free time on my
hands. While looking for information about Knot, I also stumbled upon
Julien’s configuration [2].

I was wondering if y’all were able to spend any time on this, and if so,
if you ended up committing your progress anywhere?

Best,
amin

Footnotes:
[1] https://git.savannah.gnu.org/cgit/guix/maintenance.git/tree/hydra/bayfront.scm
[2] https://lepiller.eu/ma-configuration.html
Re: guix.gnu.org sub-domain
Hi Ludo,

Ludovic Courtès writes:

> I’m sure Julien wouldn’t mind getting some help or insight, so please do
> get in touch!

OK, I'll speak privately with Julien about the DNS setup to avoid adding
noise to this email thread.

--
Chris
guix.gnu.org sub-domain
Hi Chris,

Chris Marusich writes:

> Ludovic Courtès writes:
>
>> Regarding the GNU sub-domain, as I replied to Meiyo, I’m in favor of it,
>> all we need is someone to champion setting it up.
>
> I could help with this. Whom should I contact?

We discussed this over the last few days in Paris and Julien (roptat on
IRC) volunteered to come up with a Knot service setup for bayfront.scm.
When that’s ready, we can contact the FSF sysadmins so they delegate to
bayfront.

I’m sure Julien wouldn’t mind getting some help or insight, so please do
get in touch!

Ludo’.